DEV Community: Joel-Steve NIKENOUEBA

Security in FastAPI: Best practices to protect your application (Part I)

Joel-Steve NIKENOUEBA — Fri, 09 Feb 2024 16:07:56 +0000

When it comes to web development, security is a major concern for all developers. With cyber-attacks and online threats on the rise, it’s essential to implement robust security measures to protect web applications. In this article, we’ll explore best practices for securing a FastAPI application, focusing on authentication, authorization, session management and protection against common attacks.

Authentication and authorization :

Authentication and authorization are two fundamental aspects of web application security. Authentication verifies a user’s identity, while authorization controls the actions a user is authorized to perform.

FastAPI offers several options for managing authentication and authorization within an application. One of the most common approaches is the use of JSON Web Tokens (JWTs). JWTs are cryptographically secure tokens that can be used to represent a user’s authentication information in a compact, secure way.

Here’s an example of code illustrating the use of JWT for FastAPI authentication with also HTTP Basic :

Create your project folder, create your virtual environment (env) and install these packages :



bcrypt==4.1.2
fastapi==0.109.2
passlib==1.7.4
PyJWT==2.8.0
python-multipart==0.0.7
uvicorn==0.27.0.post1

Now create a file with your choosing name main.py for example, copy and paste this code or write it for more understanding



import jwt
import secrets
import bcrypt
from fastapi import FastAPI, Depends, HTTPException, status
from fastapi.openapi.docs import get_redoc_html, get_swagger_ui_html
from fastapi.openapi.utils import get_openapi
from fastapi.security import HTTPBasic, HTTPBasicCredentials, HTTPBearer
from pydantic import BaseModel
from passlib.context import CryptContext
from datetime import datetime, timedelta

# Declaration of the HTTP Basic Authentication method
security = HTTPBasic()

# Declaration of the Bearer schema for token-based authentication
protocol = HTTPBearer(auto_error=False, scheme_name="Bearer")

# Initialization of the FastAPI application
app = FastAPI(
    title="API SECURITY TEST",
    description='This is SECURITY TEST API',
    version=f"0.0.1",
    docs_url=None,
    redoc_url=None,
    openapi_url=None
)

# Function to get the current username (It's a basic http login)
def get_current_username(credentials: HTTPBasicCredentials = Depends(security)):
    correct_username = secrets.compare_digest(credentials.username, "securityapi")
    correct_password = secrets.compare_digest(credentials.password, "testpassword")
    if not (correct_username and correct_password):
        raise HTTPException(
            status_code=status.HTTP_401_UNAUTHORIZED,
            detail="Incorrect username or password",
            headers={"WWW-Authenticate": "Basic"},
        )
    return credentials.username

# Route to get Swagger documentation
@app.get("/docs", include_in_schema=False)
async def get_swagger_documentation(username: str = Depends(get_current_username)):
    return get_swagger_ui_html(openapi_url="/openapi.json", title="docs")

# Route to get Redoc documentation
@app.get("/redoc", include_in_schema=False)
async def get_redoc_documentation(username: str = Depends(get_current_username)):
    return get_redoc_html(openapi_url="/openapi.json", title="docs")

# Route to get the OpenAPI JSON schema
@app.get("/openapi.json", include_in_schema=False)
async def openapi(username: str = Depends(get_current_username)):
    return get_openapi(title=app.title, version=app.version, routes=app.routes, description=app.description)

# Configuration of encryption parameters
SECRET_KEY = "your-secret-key"
ALGORITHM = "HS256"
ACCESS_TOKEN_EXPIRE_MINUTES = 30

# Example of a registered user (for testing)
fake_users_db = {
    "user": {
        "username": "user",
        "full_name": "Test User",
        "email": "user@example.com",
        "hashed_password": "$2b$12$vJGN.aAs5mV.KWC2Czt3PujQHXy.SVeC1UIINSGBLD0vmTfVuiGgC",  # Password: testpassword
        "disabled": False,
    }
}

# Class to represent access token data
class Token(BaseModel):
    access_token: str
    token_type: str

# Class to represent user data
class User(BaseModel):
    username: str
    email: str
    full_name: str

# Class to represent user data stored in the database
class UserInDB(User):
    hashed_password: str

# Class to represent user login data
class UserInLogin(BaseModel):
    username: str
    password: str

# Object for password encryption and hashing
pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto")

# Function to verify if the password is correct
def verify_password(plain_password: str, hashed_password: str) -> bool:
    return bcrypt.checkpw(plain_password.encode("utf-8"), hashed_password.encode("utf-8"))

# Function to hash the password
def get_password_hash(password: str) -> str:
    salt = bcrypt.gensalt()
    return (bcrypt.hashpw(password.encode('utf-8'), salt)).decode('utf-8')

# Function to generate a JWT access token
def create_access_token(data: dict, expires_delta: timedelta):
    to_encode = data.copy()
    expire = datetime.utcnow() + expires_delta
    to_encode.update({"exp": expire})
    encoded_jwt = jwt.encode(to_encode, SECRET_KEY, algorithm=ALGORITHM)
    return encoded_jwt

# Function to authenticate the user
def authenticate_user(fake_db, username: str, password: str):
    user = fake_db.get(username)
    if not user or not verify_password(password, user.get("hashed_password")):
        return False
    return user

# Function to get the current user
async def get_current_user(token: any = Depends(protocol)):
    credentials_exception = HTTPException(
        status_code=401,
        detail="Unable to validate credentials",
        headers={"WWW-Authenticate": "Bearer"},
    )
    try:
        payload = jwt.decode(token.credentials, SECRET_KEY, algorithms=[ALGORITHM])
        username: str = payload.get("sub")
        if username is None:
            raise credentials_exception
    except Exception as e:
        raise credentials_exception
    return username

# Route for authentication and access token generation
@app.post("/login", response_model=Token)
async def login_for_access_token(username: str, password: str):
    user = authenticate_user(fake_users_db, username, password)
    if not user:
        raise HTTPException(status_code=401, detail="Incorrect username or password")
    access_token_expires = timedelta(minutes=ACCESS_TOKEN_EXPIRE_MINUTES)
    access_token = create_access_token(data={"sub": user["username"]}, expires_delta=access_token_expires)
    return {"access_token": access_token, "token_type": "Bearer"}

# Route for current user information
@app.get("/users/me/", response_model=User)
async def read_users_me(current_user: str = Depends(get_current_user)):
    user = fake_users_db.get(current_user)
    return user

Here is this the final result after launching the api with command : uvicorn main:app — reload

In this example, we used the Pydantic library to define data models, the Passlib library for password encryption, and the PyJWT library for JWT manipulation. We also used the HTTPBasic, HTTPBasicCredentials and HTTPBearer objects to manage authentication in FastAPI.

User authentication is verified by comparing hashed passwords stored in a dummy database with passwords supplied by users. If the authentication information is valid, a JWT access token is generated and returned to the user.

Using this authentication mechanism, you can secure your application’s routes simply by adding the Depends(get_current_user) decorator to your endpoints.

In the second part of this article, we’ll look at session management and protection against common attacks. Stay tuned!

Conclusion :
In this article, we’ve explored best practices for securing a FastAPI application by implementing authentication using JSON Web Tokens (JWT). By following these security practices, you can protect your application against unauthorized access and data breaches. In the next part of this article, we’ll look at session management and protection against common attacks.

Integrating Databases with FastAPI

Joel-Steve NIKENOUEBA — Thu, 08 Feb 2024 18:23:09 +0000

Exploring Database Integration in FastAPI Applications

In today’s digital landscape, building robust and efficient web applications often involves the integration of various types of databases. FastAPI, a modern web framework for building APIs with Python, offers seamless integration with different database systems, including SQL and NoSQL databases. In this article, we’ll delve into the process of integrating databases with FastAPI, utilizing popular libraries such as SQLAlchemy and Tortoise ORM.

Introduction to Database Integration in FastAPI:

FastAPI provides excellent support for integrating databases into your applications, allowing you to store and retrieve data efficiently. By leveraging the asynchronous capabilities of Python and integrating with powerful database libraries, FastAPI enables developers to build high-performance applications with ease.

Types of Databases Supported:
FastAPI supports integration with a wide range of database systems, including:

1 - SQL Databases: Such as PostgreSQL, MySQL, SQLite, etc.
2 - NoSQL Databases: Such as MongoDB, Redis, Cassandra, etc.

Integration with SQLAlchemy for SQL Databases:

SQLAlchemy is a popular SQL toolkit and Object-Relational Mapping (ORM) library for Python. It provides a powerful and flexible way to work with SQL databases while abstracting away the complexities of raw SQL queries. FastAPI seamlessly integrates with SQLAlchemy, allowing you to define database models and interact with the database using Pythonic syntax.

Example: Integration with SQLAlchemy:

from fastapi import FastAPI
from sqlalchemy import create_engine, Column, Integer, String
from sqlalchemy.ext.declarative import declarative_base
from sqlalchemy.orm import sessionmaker

# Create FastAPI instance
app = FastAPI()

# SQLAlchemy configuration
SQLALCHEMY_DATABASE_URL = "sqlite:///./test.db"
engine = create_engine(SQLALCHEMY_DATABASE_URL)
SessionLocal = sessionmaker(autocommit=False, autoflush=False, bind=engine)
Base = declarative_base()

# Define database model
class User(Base):
    __tablename__ = "users"
    id = Column(Integer, primary_key=True, index=True)
    name = Column(String, index=True)
    email = Column(String, unique=True, index=True)

# Create tables
Base.metadata.create_all(bind=engine)

In this example, we define a User model using SQLAlchemy's declarative syntax. We then create the database tables by calling Base.metadata.create_all().

Integration with Tortoise ORM for Async SQL Databases:

Tortoise ORM is an easy-to-use asynchronous ORM inspired by Django ORM. It provides native support for asynchronous operations, making it an excellent choice for building high-performance asynchronous applications with FastAPI. Tortoise ORM seamlessly integrates with FastAPI, allowing you to define models and interact with the database asynchronously.

Example: Integration with Tortoise ORM:

from fastapi import FastAPI
from tortoise import Tortoise, fields
from tortoise.models import Model

# Create FastAPI instance
app = FastAPI()

# Tortoise ORM configuration
TORTOISE_ORM = {
    "connections": {"default": "sqlite://./test.db"},
    "apps": {
        "models": {
            "models": ["__main__"],
            "default_connection": "default",
        }
    },
}

# Define database model
class User(Model):
    id = fields.IntField(pk=True)
    name = fields.CharField(max_length=50)
    email = fields.CharField(max_length=100, unique=True)

# Initialize Tortoise ORM
Tortoise.init_models(["__main__"], "models")
Tortoise.init_models(["models"], "models")

# Create database tables
async def init():
    await Tortoise.generate_schemas()

# Run initialization function
app.add_event_handler("startup", init)

In this example, we define a User model using Tortoise ORM's syntax. We then initialize Tortoise ORM and generate the database schemas using Tortoise.generate_schemas().

Conclusion:

Integrating databases with FastAPI is straightforward and efficient, thanks to its robust support for various database systems and seamless integration with popular ORM libraries like SQLAlchemy and Tortoise ORM. By leveraging these tools, developers can build scalable and performant web applications with ease, while ensuring data integrity and reliability.

In conclusion, integrating databases with FastAPI empowers developers to create powerful and feature-rich applications that meet the demands of modern web development. Whether you’re working with SQL or NoSQL databases, FastAPI provides the tools and flexibility you need to build efficient and scalable applications.

Advanced Usage of Dependencies and Models in FastAPI

Joel-Steve NIKENOUEBA — Thu, 08 Feb 2024 18:08:50 +0000

Mastering Asynchronous Operations, Background Tasks, and Advanced Data Management

FastAPI, a modern web framework for building APIs with Python, offers powerful features for managing dependencies and models, enabling developers to create highly efficient and scalable applications. In this article, we’ll explore advanced techniques for utilizing dependencies and models in FastAPI to handle asynchronous operations, background tasks, and advanced data management.

Understanding Dependencies in FastAPI:
Dependencies in FastAPI are reusable components that can be injected into route handlers or other dependencies. They allow you to encapsulate common logic, such as authentication, database connections, or data validation, and apply it across multiple routes or applications.

Advanced Dependency Techniques:
1. Asynchronous Dependencies:
FastAPI fully supports asynchronous programming with Python’s async and await keywords. You can define asynchronous dependencies using the async def syntax, allowing for efficient handling of I/O-bound operations such as database queries or HTTP requests.

2. Background Tasks:
FastAPI provides built-in support for background tasks, allowing you to execute asynchronous tasks in the background while responding to client requests. By using background tasks, you can offload time-consuming or non-critical tasks, such as sending emails or processing data, without blocking the main request-response cycle.

3. Dependency Injection with Parameters:
Dependencies in FastAPI can accept parameters, allowing for dynamic configuration and customization. You can inject parameters into dependencies based on the request context or other runtime conditions, enabling flexible and modular application design.

Leveraging Models for Advanced Data Management:
Models in FastAPI are used to represent data structures and perform data validation. By defining Pydantic models, you can ensure that incoming request data is properly validated and serialized, improving the reliability and security of your application.

Advanced Model Techniques:
1. Custom Validation Logic:
Pydantic models support custom validation logic through the use of validation functions and class methods. You can define custom validation rules to enforce complex business logic or constraints on incoming data, ensuring data integrity and consistency.

2. Model Inheritance and Composition:
FastAPI allows for model inheritance and composition, enabling you to create complex data structures by extending or combining existing models. This approach promotes code reusability and modularity, making it easier to manage and maintain your data models as your application grows.

3. Advanced Data Serialization and Parsing:
Pydantic models support advanced data serialization and parsing capabilities, including support for nested data structures, complex data types, and custom serialization formats. You can customize how data is serialized and parsed to meet the specific requirements of your application.

Conclusion:
By mastering the advanced usage of dependencies and models in FastAPI, developers can build highly efficient, scalable, and maintainable web applications. Whether you’re handling asynchronous operations, background tasks, or advanced data management scenarios, FastAPI provides the tools and flexibility you need to create robust and reliable APIs. By leveraging these advanced features, you can take your FastAPI applications to the next level and deliver exceptional user experiences.

Unit Tests and Performance Testing with FastAPI

Joel-Steve NIKENOUEBA — Thu, 08 Feb 2024 17:57:48 +0000

Ensuring Code Quality and Application Stability

Testing is an integral part of the software development lifecycle, ensuring that applications are reliable, functional, and performant. FastAPI, a modern web framework for building APIs with Python, provides robust support for writing unit tests and performance tests to validate the functionality and performance of your applications. In this article, we’ll explore how to write unit tests and performance tests for a FastAPI application to ensure code quality and application stability.

Understanding Unit Tests in FastAPI:
Unit tests are a fundamental part of software testing, focusing on testing individual components or units of code in isolation. In FastAPI, unit tests are typically written using testing frameworks such as pytest or unittest. Unit tests allow developers to verify that individual functions, endpoints, or components of their FastAPI application behave as expected under different conditions.

Writing Unit Tests for FastAPI Applications:
1. Endpoint Testing: Unit tests for FastAPI endpoints typically involve sending mock requests to the API endpoints and asserting the expected responses. Using libraries like requests or FastAPI's built-in test client, developers can simulate HTTP requests and validate the response status codes, headers, and payload data.

2. Dependency Injection: FastAPI’s dependency injection system makes it easy to mock dependencies and isolate components for testing. By injecting mock dependencies into route handlers or other components, developers can simulate different scenarios and ensure that their application behaves correctly under various conditions.

3. Data Validation and Serialization: Unit tests for data validation and serialization in FastAPI can verify that Pydantic models correctly handle input data validation, serialization, and deserialization. By passing different input data and asserting the expected output, developers can ensure that their API endpoints handle data validation and serialization errors gracefully.

Performance Testing in FastAPI:
Performance testing is essential for evaluating the responsiveness, scalability, and efficiency of a FastAPI application under different load conditions. Performance tests involve measuring various metrics such as response times, throughput, and resource utilization to identify bottlenecks and optimize application performance.

Writing Performance Tests for FastAPI Applications:
1. Load Testing: Load testing involves simulating a high volume of concurrent users or requests to measure the application’s performance under heavy load. Using tools like locust or Apache JMeter, developers can create realistic load scenarios and measure how the application scales and performs under different levels of traffic.

2. Benchmarking: Benchmarking tests involve measuring the performance of specific endpoints or operations within the application to identify performance bottlenecks and optimize critical paths. By measuring response times, latency, and throughput, developers can pinpoint areas for improvement and optimize the application’s performance.

3. Stress Testing: Stress testing involves pushing the application to its limits to assess its resilience and stability under extreme load conditions. Stress tests simulate peak load scenarios and measure how the application handles increased traffic, resource contention, and failures.

Conclusion:
By writing unit tests and performance tests for FastAPI applications, developers can ensure code quality, reliability, and scalability. Unit tests validate the functionality of individual components, while performance tests evaluate the application’s responsiveness and efficiency under different load conditions. By integrating testing into the development process, developers can identify and fix issues early, optimize application performance, and deliver high-quality, stable applications to users.